LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule wsgi_module /usr/lib64/httpd/modules/mod_wsgi.so

{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
Listen 443
{% endif %}
Listen 80

Header set X-Rucio-Host "%{HTTP_HOST}e"
RequestHeader add X-Rucio-RequestId "%{UNIQUE_ID}e"
Header set Referrer-Policy "no-referrer"
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
{% if RUCIO_SSL_PROTOCOL is defined %}
 #AB: SSLv3 disable
 SSLProtocol              {{ RUCIO_SSL_PROTOCOL }}
{% else %}
 SSLProtocol              all -SSLv3 -TLSv1 -TLSv1.1
{% endif %}
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
{% endif %}

{% if RUCIO_LOG_FORMAT is defined %}
LogFormat "{{ RUCIO_LOG_FORMAT }}" combinedrucio
{% else %}
LogFormat "%h\t%t\t%{X-Rucio-Forwarded-For}i\t%T\t%D\t\"%{X-Rucio-Auth-Token}i\"\t%{X-Rucio-RequestId}i\t%{X-Rucio-Client-Ref}i\t\"%r\"\t%>s\t%b" combinedrucio
{% endif %}

LoadModule authn_core_module modules/mod_authn_core.so
LoadModule cache_disk_module modules/mod_cache_disk.so

CacheEnable disk /
CacheRoot /tmp

{% macro common_virtual_host_config() %}
{% if RUCIO_HOSTNAME is defined %}
 ServerName {{ RUCIO_HOSTNAME }}
{% endif %}
{% if RUCIO_SERVER_ADMIN is defined %}
 ServerAdmin {{ RUCIO_SERVER_ADMIN }}
{% else %}
 ServerAdmin rucio-admin@cern.ch
{% endif %}

{% if RUCIO_LOG_LEVEL is defined %}
 LogLevel {{ RUCIO_LOG_LEVEL }}
{% else %}
 LogLevel info
{% endif %}

{% if RUCIO_ENABLE_LOGS|default('False') == 'True' %}
 CustomLog {{RUCIO_HTTPD_LOG_DIR | default('logs') }}/access_log combinedrucio
 ErrorLog {{RUCIO_HTTPD_LOG_DIR | default('logs') }}/error_log
{% else %}
 CustomLog /dev/stdout combinedrucio
 ErrorLog /dev/stderr
{% endif %}

 Alias /media                 /usr/local/lib/python3.9/site-packages/rucio/web/ui/media
 Alias /static                /usr/local/lib/python3.9/site-packages/rucio/web/ui/static
{% if RUCIO_SERVER_TYPE|default('api') == 'flask' %}
 WSGIScriptAlias /            /usr/local/lib/python3.9/site-packages/rucio/web/ui/flask/main.py
{% else %}
 WSGIScriptAlias /            /usr/local/lib/python3.9/site-packages/rucio/web/ui/main.py
{% endif %}

{% if RUCIO_PROXY is defined %}
 ProxyPass /proxy             {{ RUCIO_PROXY_SCHEME | default('https') }}://{{ RUCIO_PROXY }}
 ProxyPassReverse /proxy      {{ RUCIO_PROXY_SCHEME | default('https') }}://{{ RUCIO_PROXY }}
{% endif %}
{% if RUCIO_AUTH_PROXY is defined %}
 ProxyPass /authproxy             {{ RUCIO_AUTH_PROXY_SCHEME | default('https') }}://{{ RUCIO_AUTH_PROXY }}
 ProxyPassReverse /authproxy      {{ RUCIO_AUTH_PROXY_SCHEME | default('https') }}://{{ RUCIO_AUTH_PROXY }}
{% endif %}
{% if RUCIO_HTTPD_ADDITIONAL_PROXY_CONF is defined %}
 ProxyPass {{ RUCIO_HTTPD_ADDITIONAL_PROXY_CONF}}
 ProxyPassReverse {{ RUCIO_HTTPD_ADDITIONAL_PROXY_CONF }}
{% endif %}
{% if RUCIO_HTTPD_PROXY_PROTOCOL_ENABLED | default('False') == 'True' %}
 RemoteIPProxyProtocol On
 RemoteIPProxyProtocolExceptions 127.0.0.1 ::1 {{ RUCIO_HTTPD_PROXY_PROTOCOL_EXCEPTIONS | default('') }}
{% endif %}
{% endmacro %}

<VirtualHost *:80>
{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
 {% if RUCIO_HOSTNAME is defined %}
 Redirect / https://{{ RUCIO_HOSTNAME }}/
 {% else %}
 Redirect / https://localhost/
 {% endif %}
{% else %}
 {{ common_virtual_host_config()}}
 {% endif%}
</VirtualHost>

{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
<VirtualHost *:443>
{{ common_virtual_host_config()}}
{% if RUCIO_ENABLE_SSL|default('False') == 'True' %}
 SSLEngine on
 SSLCertificateFile /etc/grid-security/hostcert.pem
 SSLCertificateKeyFile /etc/grid-security/hostkey.pem
{% if RUCIO_CA_PATH is defined %}
 SSLCACertificatePath {{ RUCIO_CA_PATH }}
 SSLCARevocationPath {{ RUCIO_CA_PATH }}
{% elif RUCIO_CA_FILE is defined %}
 SSLCACertificateFile {{ RUCIO_CA_FILE }}
 SSLCARevocationFile {{ RUCIO_CA_FILE }}
{% else %}
 SSLCACertificateFile /etc/grid-security/ca.pem
 SSLCARevocationFile /etc/grid-security/ca.pem
{% endif %}
 SSLVerifyClient optional
 SSLVerifyDepth 10
{% if RUCIO_HTTPD_LEGACY_DN|default('False') == 'True' %}
 SSLOptions +StdEnvVars +LegacyDNStringFormat
{% else %}
 SSLOptions +StdEnvVars
{% endif %}
 SSLProxyEngine On
{% endif %}
</VirtualHost>
{% endif %}

